Hi I have two <security-constraint> elements in my deployment descriptor.
One has auth-constraint <role-name>*</role-name>, and the other does not have any <auth-constraint>. They both have a same <url-pattern>. By SRV.12.8.1 Combining Constraints: <quote> A security constraints that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. </quote> Applying to the attached .war file, my interpretation of this is access to /index.jsp is accepted. However, Tomcat 5.5.12 returns status code 401 (Authorization Required). Cheers Nam -- Random humorous quote: Work is the greatest thing in the world, so save some for tomorrow.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]